CRITICAL🇵🇱 Wersja polska

CVE-2026-32306

CVSS 9.9v3.1pub. 2026-03-13upd. 2026-03-17

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.

🤖 AI Analysis
How it works

The telemetry aggregation API accepts user-controlled parameters: aggregationType, aggregateColumnName, and aggregationTimestampColumnName. These values are directly interpolated into ClickHouse SQL queries using the .append() method, described internally as 'trusted SQL'. The absence of an allowlist, lack of parameterized query binding mechanism, and complete absence of input validation allows an attacker to arbitrarily shape the contents of the executed SQL query. Through appropriately crafted parameter values, it is possible to abuse ClickHouse's built-in table functions to escalate the attack.

Impact

An attacker can read telemetric data from all tenants (multi-tenant), modify or delete data in the ClickHouse database, and through ClickHouse table functions potentially execute remote code (RCE) on the server.

Mitigation & patch

OneUptime should be updated to version 10.0.23 or newer, in which the vulnerability has been fixed. Details available in the vendor's references: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-p5g2-jm85-8g35

Who is affected

OneUptime (Hackerbay) in all versions prior to 10.0.23.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Hackerbay Oneuptime

    APP
    Hackerbay
    < 10.0.23
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLi
CWE
References

Related vulnerabilities

CVE-2026-34758CRITICAL9.1PL ✓ten sam produkt

OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami

CVE-2026-35053CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)

CVE-2026-34759CRITICAL9.2PL ✓ten sam produkt

Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji

CVE-2026-33396CRITICAL9.9PL ✓ten sam produkt

RCE w OneUptime — command injection przez Playwright w Synthetic Monitor

CVE-2026-30921CRITICAL9.9PL ✓ten sam produkt

OneUptime: RCE przez niebezpieczny Playwright sandbox w Synthetic Monitors